libclamav: integrate ldb sigs with icon matcher

16 years ago · 0f7ba61742
parent 8ea83d1366
commit 0f7ba61742
4 changed files with 37 additions and 1 deletions
--- a/4
+++ b/4
@ -1,3 +1,7 @@
+Mon Dec 14 17:16:07 CET 2009 (tk)
+---------------------------------
+ * libclamav: integrate ldb sigs with icon matcher
+
 Mon Dec 14 15:04:45 CET 2009 (tk)
 ---------------------------------
 * sigtool: fix some messages (bb#1777)
--- a/libclamav/matcher.c
+++ b/libclamav/matcher.c
@ -46,6 +46,7 @@
 #include "default.h"
 #include "macho.h"
 #include "fmap.h"
+#include "pe_icons.h"

 int cli_scanbuff(const unsigned char *buffer, uint32_t length, uint32_t offset, cli_ctx *ctx, cli_file_t ftype, struct cli_ac_data **acdata)
 {
@ -322,6 +323,16 @@ int cli_checkfp(int fd, cli_ctx *ctx)
    return 0;
 }

+static int matchicon(cli_ctx *ctx, const char *grp1, const char *grp2)
+{
+	icon_groupset iconset;
+
+    cli_icongroupset_init(&iconset);
+    cli_icongroupset_add(grp1 ? grp1 : "*", &iconset, 0, ctx);
+    cli_icongroupset_add(grp2 ? grp2 : "*", &iconset, 1, ctx);
+    return cli_match_icon(&iconset, ctx);
+}
+
 int cli_scandesc(int desc, cli_ctx *ctx, cli_file_t ftype, uint8_t ftonly, struct cli_matched_type **ftoffset, unsigned int acmode)
 {
    int ret = CL_EMEM;
@ -454,6 +465,14 @@ int cli_fmap_scandesc(cli_ctx *ctx, cli_file_t ftype, uint8_t ftonly, struct cli
 	    evalcnt = 0;
 	    evalids = 0;
 	    if(cli_ac_chklsig(troot->ac_lsigtable[i]->logic, troot->ac_lsigtable[i]->logic + strlen(troot->ac_lsigtable[i]->logic), tdata.lsigcnt[i], &evalcnt, &evalids, 0) == 1) {
+		if(troot->ac_lsigtable[i]->tdb.icongrp1 || troot->ac_lsigtable[i]->tdb.icongrp2) {
+		    if(matchicon(ctx, troot->ac_lsigtable[i]->tdb.icongrp1, troot->ac_lsigtable[i]->tdb.icongrp2) == CL_VIRUS) {
+			ret = CL_VIRUS;
+			break;
+		    } else {
+			continue;
+		    }
+		}
 		if (!troot->ac_lsigtable[i]->bc) {
 		    if(ctx->virname)
 			*ctx->virname = troot->ac_lsigtable[i]->virname;
--- a/libclamav/matcher.h
+++ b/libclamav/matcher.h
@ -54,8 +54,11 @@ struct cli_lsig_tdb {

    const uint32_t *target;
    const uint32_t *engine, *nos, *ep;
+    /*
    const uint32_t *sectoff, *sectrva, *sectvsz, *sectraw, *sectrsz,
 		   *secturva, *sectuvsz, *secturaw, *sectursz;
+    */
+    const char *icongrp1, *icongrp2;
 #ifdef USE_MPOOL
    mpool_t *mempool;
 #endif
--- a/libclamav/readdb.c
+++ b/libclamav/readdb.c
@ -923,9 +923,13 @@ struct lsig_attrib {
 static int lsigattribs(char *attribs, struct cli_lsig_tdb *tdb)
 {
 	struct lsig_attrib attrtab[] = {
-#define ATTRIB_TOKENS	2
+#define ATTRIB_TOKENS	4
 	    { "Target",	    CLI_TDB_UINT,	(void **) &tdb->target	    },
 	    { "Engine",	    CLI_TDB_RANGE,	(void **) &tdb->engine	    },
+
+	    { "IconGroup1", CLI_TDB_STR,	(void **) &tdb->icongrp1    },
+	    { "IconGroup2", CLI_TDB_STR,	(void **) &tdb->icongrp2    },
+
 /*
 	    { "NoS",	    CLI_TDB_RANGE,	(void **) &tdb->nos	    },
 	    { "EP",	    CLI_TDB_RANGE,	(void **) &tdb->ep	    },
@ -1151,6 +1155,12 @@ static int load_oneldb(char *buffer, int chkpua, int chkign, struct cl_engine *e
 	return CL_SUCCESS;
    }

+    if((tdb.icongrp1 || tdb.icongrp2) && tdb.target[0] != 1) {
+	cli_errmsg("cli_loadldb: IconGroup is only supported in PE (target 1) signatures\n");
+	FREE_TDB(tdb);
+	return CL_EMALFDB;
+    }
+
    root = engine->root[tdb.target[0]];

    lsig = (struct cli_ac_lsig *) mpool_calloc(engine->mempool, 1, sizeof(struct cli_ac_lsig));